cgmnlm

colorful gemini line mode browser
git clone https://git.clttr.info/cgmnlm.git

tofu.h (1418B)


      1 #ifndef GEMINI_TOFU_H
      2 #define GEMINI_TOFU_H
      3 #include <bearssl.h>
      4 #include <limits.h>
      5 
// Reason codes describing how a server certificate relates to the
// trust-on-first-use store. TOFU_VALID is the zero value, so a result
// variable that is merely zero-initialized reads as "valid"; set the result
// explicitly on every path.
enum tofu_error {
	// No problem reported.
	TOFU_VALID = 0,
	// The certificate itself is rejected: expired, wrong CN, etc.
	TOFU_INVALID_CERT = 1,
	// The certificate is valid, but it has not been seen before.
	TOFU_UNTRUSTED_CERT = 2,
	// The certificate is valid, but a different certificate is already
	// trusted for this host.
	TOFU_FINGERPRINT_MISMATCH = 3,
};
     15 
// Decision returned by a tofu_callback_t. The numeric values follow
// declaration order, so TOFU_ASK is the zero value.
// NOTE(review): the per-value meanings below are inferred from the names
// only; confirm them against tofu.c.
enum tofu_action {
	// presumably: no decision yet, prompt the user
	TOFU_ASK = 0,
	// presumably: refuse the certificate
	TOFU_FAIL = 1,
	// presumably: accept without remembering the fingerprint
	TOFU_TRUST_ONCE = 2,
	// presumably: accept and remember the fingerprint for this host
	TOFU_TRUST_ALWAYS = 3,
};
     22 
// One remembered host/fingerprint pair, kept as a node of a singly linked
// list chained through `next`.
// NOTE(review): this header does not say who owns the two strings; confirm
// in tofu.c which side allocates and frees them.
struct known_host {
	char *host;
	char *fingerprint;
	// presumably the entry's line in the known-hosts file - confirm
	int lineno;
	struct known_host *next;
};
     28 
// Called when the user needs to be prompted to agree to trust an unknown
// certificate. The decision is reported as an enum tofu_action, not as a
// boolean.
//
// error:       why the callback is being invoked (see enum tofu_error).
// fingerprint: fingerprint string for the certificate in question.
// host:        a known_host entry; presumably the stored record for this
//              host when one exists - confirm in tofu.c whether it may be
//              NULL.
// data:        opaque pointer for the callback; presumably the value given
//              to gemini_tofu_init - confirm.
//
// NOTE(review): implementations should show `fingerprint` to the user so it
// can be compared out of band, and should not answer with a trusting action
// by default when `error` is TOFU_FINGERPRINT_MISMATCH.
typedef enum tofu_action (tofu_callback_t)(enum tofu_error error,
	const char *fingerprint, struct known_host *host, void *data);
     33 
// Forward declaration so x509_tofu_context can point back at its store.
struct gemini_tofu;

// State for an X.509 handler built on BearSSL types that consults the TOFU
// store.
// NOTE(review): nothing in this header shows certificate-chain validation
// against trust anchors; trust presumably rests on the fingerprint check
// alone - confirm in tofu.c.
struct x509_tofu_context {
	// NOTE(review): BearSSL addresses an X.509 engine through a pointer to
	// its vtable pointer, so this presumably has to stay the first member -
	// confirm before reordering fields.
	const br_x509_class *vtable;
	br_x509_decoder_context decoder;
	br_x509_pkey *pkey;
	br_sha512_context sha512;
	// 64 bytes matches a SHA-512 digest; presumably the output of `sha512`
	// over the server certificate - confirm.
	unsigned char hash[64];
	// Back-pointer to the owning store.
	struct gemini_tofu *store;
	// Not owned here as far as this header shows; presumably the host name
	// being connected to - the pointer must outlive the handshake.
	const char *server_name;
	// NOTE(review): plain int; confirm whether it carries a BearSSL error
	// code or an enum tofu_error, since zero means "no error" either way.
	int err;
};
     46 
// Trust-on-first-use store together with the TLS client state that uses it.
// The I/O buffer and the path buffer are embedded by value, so one object of
// this type is large (at least BR_SSL_BUFSIZE_BIDI + PATH_MAX bytes);
// consider that before placing one on a small stack.
struct gemini_tofu {
	struct x509_tofu_context x509_ctx;
	br_ssl_client_context sc;
	// Embedded buffer sized for BearSSL bidirectional I/O.
	unsigned char iobuf[BR_SSL_BUFSIZE_BIDI];
	// Fixed-size path buffer with room for a terminating NUL; any code that
	// fills it must bound the write to sizeof known_hosts_path.
	char known_hosts_path[PATH_MAX+1];
	// Head of the linked list of remembered hosts.
	struct known_host *known_hosts;
	// presumably a line counter for the known-hosts file - confirm
	int lineno;
	// Callback and its opaque argument, of the types accepted by
	// gemini_tofu_init.
	tofu_callback_t *callback;
	void *cb_data;
};
     57 
// Set-up and tear-down entry points for a caller-provided struct gemini_tofu.
// Both return void, so this interface has no way to report a failure to the
// caller.
// NOTE(review): the implementations are not in this header. Presumably init
// loads the known-hosts file and stores `cb`/`data` as `callback`/`cb_data`,
// and finish releases the known_hosts list - confirm in tofu.c, including
// what happens when the known-hosts file cannot be read or written.
void gemini_tofu_init(struct gemini_tofu *tofu, tofu_callback_t *cb, void *data);
void gemini_tofu_finish(struct gemini_tofu *tofu);
     60 
     61 #endif